Updated: 2021/Apr/14

KADMIN(8)                   System Manager's Manual                  KADMIN(8)

     kadmin - Kerberos administration utility

     kadmin [-p string | --principal=string] [-K string | --keytab=string]
            [-c file | --config-file=file] [-k file | --key-file=file]
            [-r realm | --realm=realm] [-a host | --admin-server=host]
            [-s port number | --server-port=port number] [-l | --local]
            [-h | --help] [-v | --version] [command]

     The kadmin program is used to make modifications to the Kerberos
     database, either remotely via the kadmind(8) daemon, or locally (with the
     -l option).

     Supported options:

     -p string, --principal=string
             principal to authenticate as

     -K string, --keytab=string
             keytab for authentication principal

     -c file, --config-file=file
             location of config file

     -k file, --key-file=file
             location of master key file

     -r realm, --realm=realm
             realm to use

     -a host, --admin-server=host
             server to contact

     -s port number, --server-port=port number
             port to use

     -l, --local
             local admin mode

     If no command is given on the command line, kadmin will prompt for
     commands to process. Some of the commands that take one or more
     principals as argument (delete, ext_keytab, get, modify, and passwd) will
     accept a glob style wildcard, and perform the operation on all matching

     Commands include:

     add [-r | --random-key] [--random-password] [-p string |
     --password=string] [--key=string] [--max-ticket-life=lifetime]
     [--max-renewable-life=lifetime] [--attributes=attributes]
     [--expiration-time=time] [--pw-expiration-time=time]
     [--policy=policy-name] principal...

           Adds a new principal to the database. The options not passed on the
           command line will be promped for.  The only policy supported by
           Heimdal servers is `default'.

     add_enctype [-r | --random-key] principal enctypes...

           Adds a new encryption type to the principal, only random key are

     delete principal...

           Removes a principal.

     del_enctype principal enctypes...

           Removes some enctypes from a principal; this can be useful if the
           service belonging to the principal is known to not handle certain

     ext_keytab [-k string | --keytab=string] principal...

           Creates a keytab with the keys of the specified principals.
           Requires get-keys rights, otherwise the principal's keys are
           changed and saved in the keytab.

     get [-l | --long] [-s | --short] [-t | --terse] [-o string |
     --column-info=string] principal...

           Lists the matching principals, short prints the result as a table,
           while long format produces a more verbose output. Which columns to
           print can be selected with the -o option. The argument is a comma
           separated list of column names optionally appended with an equal
           sign (`=') and a column header. Which columns are printed by
           default differ slightly between short and long output.

           The default terse output format is similar to -s -o principal=,
           just printing the names of matched principals.

           Possible column names include: principal, princ_expire_time,
           pw_expiration, last_pwd_change, max_life, max_rlife, mod_time,
           mod_name, attributes, kvno, mkvno, last_success, last_failed,
           fail_auth_count, policy, and keytypes.

     modify [-a attributes | --attributes=attributes]
     [--max-ticket-life=lifetime] [--max-renewable-life=lifetime]
     [--expiration-time=time] [--pw-expiration-time=time] [--kvno=number]
     [--policy=policy-name] principal...

           Modifies certain attributes of a principal. If run without command
           line options, you will be prompted. With command line options, it
           will only change the ones specified.

           Only policy supported by Heimdal is `default'.

           Possible attributes are: new-princ, support-desmd5,
           pwchange-service, disallow-svr, requires-pw-change,
           requires-hw-auth, requires-pre-auth, disallow-all-tix,
           disallow-dup-skey, disallow-proxiable, disallow-renewable,
           disallow-tgt-based, disallow-forwardable, disallow-postdated

           Attributes may be negated with a "-", e.g.,

           kadmin -l modify -a -disallow-proxiable user

     passwd [--keepold] [-r | --random-key] [--random-password] [-p string |
     --password=string] [--key=string] principal...

           Changes the password of an existing principal.

     verify-password-quality principal password

           Run the password quality check function locally.  You can run this
           on the host that is configured to run the kadmind process to verify
           that your configuration file is correct.  The verification is done
           locally, if kadmin is run in remote mode, no rpc call is done to
           the server. NOTE: if the environment has verify-password-quality
           configured to use a back-end that stores password history (such as
           heimdal-history), running verify-quality-password will cause an
           update to the password database meaning that merely verifying the
           quality of the password using verify-quality-password invalidates
           the use of that principal/password in the future.


           Lists the operations you are allowed to perform. These include add,
           add_enctype, change-password, delete, del_enctype, get, get-keys,
           list, and modify.

     rename from to

           Renames a principal. This is normally transparent, but since keys
           are salted with the principal name, they will have a non-standard
           salt, and clients which are unable to cope with this will fail.
           Kerberos 4 suffers from this.

     check [realm]

           Check database for strange configurations on important principals.
           If no realm is given, the default realm is used.

     When running in local mode, the following commands can also be used:

     dump [-d | --decrypt] [-fformat | --format=format] [dump-file]

           Writes the database in "machine readable text" form to the
           specified file, or standard out. If the database is encrypted, the
           dump will also have encrypted keys, unless --decrypt is used.  If
           --format=MIT is used then the dump will be in MIT format.
           Otherwise it will be in Heimdal format.

     init [--realm-max-ticket-life=string] [--realm-max-renewable-life=string]

           Initializes the Kerberos database with entries for a new realm.
           It's possible to have more than one realm served by one server.

     load file

           Reads a previously dumped database, and re-creates that database
           from scratch.

     merge file

           Similar to load but just modifies the database with the entries in
           the dump file.

     stash [-e enctype | --enctype=enctype] [-k keyfile | --key-file=keyfile]
     [--convert-file] [--master-key-fd=fd]

           Writes the Kerberos master key to a file used by the KDC.

     kadmind(8), kdc(8)

NetBSD 9.99                      Feb 22, 2007                      NetBSD 9.99